secure the grpc client (#1215)

* secure the grpc client

* make compile

* Add system cert pool

* Revert manually adding ca certs

* Tweak comment

Co-authored-by: ben-toogood <bentoogood@gmail.com>
This commit is contained in:
Asim Aslam 2020-02-19 08:44:35 +00:00 committed by Vasiliy Tolstov
parent b00167520c
commit f91ec84d59

30
grpc.go
View File

@ -5,7 +5,9 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"net"
"os" "os"
"strings"
"sync/atomic" "sync/atomic"
"time" "time"
@ -36,14 +38,36 @@ func init() {
} }
// secure returns the dial option for whether its a secure or insecure connection // secure returns the dial option for whether its a secure or insecure connection
func (g *grpcClient) secure() grpc.DialOption { func (g *grpcClient) secure(addr string) grpc.DialOption {
// first we check if theres'a tls config
if g.opts.Context != nil { if g.opts.Context != nil {
if v := g.opts.Context.Value(tlsAuth{}); v != nil { if v := g.opts.Context.Value(tlsAuth{}); v != nil {
tls := v.(*tls.Config) tls := v.(*tls.Config)
creds := credentials.NewTLS(tls) creds := credentials.NewTLS(tls)
// return tls config if it exists
return grpc.WithTransportCredentials(creds) return grpc.WithTransportCredentials(creds)
} }
} }
// default config
tlsConfig := &tls.Config{}
defaultCreds := grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
// check if the address is prepended with https
if strings.HasPrefix(addr, "https://") {
return defaultCreds
}
// if no port is specified or port is 443 default to tls
_, port, err := net.SplitHostPort(addr)
// assuming with no port its going to be secured
if port == "443" {
return defaultCreds
} else if err != nil && strings.Contains(err.Error(), "missing port in address") {
return defaultCreds
}
// other fallback to insecure
return grpc.WithInsecure() return grpc.WithInsecure()
} }
@ -116,7 +140,7 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R
grpcDialOptions := []grpc.DialOption{ grpcDialOptions := []grpc.DialOption{
grpc.WithDefaultCallOptions(grpc.ForceCodec(cf)), grpc.WithDefaultCallOptions(grpc.ForceCodec(cf)),
grpc.WithTimeout(opts.DialTimeout), grpc.WithTimeout(opts.DialTimeout),
g.secure(), g.secure(address),
grpc.WithDefaultCallOptions( grpc.WithDefaultCallOptions(
grpc.MaxCallRecvMsgSize(maxRecvMsgSize), grpc.MaxCallRecvMsgSize(maxRecvMsgSize),
grpc.MaxCallSendMsgSize(maxSendMsgSize), grpc.MaxCallSendMsgSize(maxSendMsgSize),
@ -194,7 +218,7 @@ func (g *grpcClient) stream(ctx context.Context, node *registry.Node, req client
grpcDialOptions := []grpc.DialOption{ grpcDialOptions := []grpc.DialOption{
grpc.WithDefaultCallOptions(grpc.ForceCodec(wc)), grpc.WithDefaultCallOptions(grpc.ForceCodec(wc)),
grpc.WithTimeout(opts.DialTimeout), grpc.WithTimeout(opts.DialTimeout),
g.secure(), g.secure(address),
} }
if opts := g.getGrpcDialOptions(); opts != nil { if opts := g.getGrpcDialOptions(); opts != nil {